ACT CSO’s data Nirvana built around role-based encryption, identity controls

Centralisation and consolidation of information assets may be a long-term goal for the ACT government’s head of information security, but he warns that it won’t happen without the ubiquitous use of encryption and tight management of user and device identities across the territory.

“My Nirvana of security, and I am trying to enable this, is to have one copy of an application that presents accurate and timely information to a predefined number of customer sets,” ACT government senior manager for security Peter Major said at the recent lt;igt;CSO Perspectives Roadshowlt;/igt; in Canberra.

“With one instance of any database, it stores information to be presented to be displayed to defined customer sets. But this requires being able to divide customers into ‘trusted’ and ‘untrusted’, and to present a single interface with appropriate data sets being based off appropriate authentication.”

Building such a data focused authentication schema was a long-term priority for Major. As head of the ACT’s information security efforts, he faces the mammoth task of ensuring security of information spread across 10 core directorates, 13 public authorities, and state and local government services that collectively involve over 300 internal websites, 200 externally hosted websites from multiple ISPs, and three “separate and disparate” gateways for education, the ACT executive government, and the Canberra Institute of Technology (CIT).

With more than 18,000 public servants, 30,000 VoIP endpoints and 70,000 CIT students alone, “we have a large area to cover”, Major said. “I have electronic information scattered across my entire internal environment, and shedloads of unstructured data floating around the place. We don’t know exactly where it is, but it’s on the network and on external sites as well – and it has to be protected to comply with a number of laws.”

Those obligations were driving the need for stronger user-based authentication – to positively identify the remote user – as well as authorisation that would feed the trusted/untrusted determination. Untrusted users might be given a low level of access without authentication; semi trusted corporate entities could use certificate based authentication to limited resources; and trusted employees would be managed using out-of-band multifactor authentication to a broad set of resources.

Part of the risk assessment would be based on the user’s ‘posture’, including the device and network they were using to access the government services.

Yet it is the use of multiple-key encryption technology – with quantum-based key management systems to ensure random number generation via use of the KMIP protocol – that would complete the security paradigm, by allowing data to be encrypted based on particular applications.

This would allow highly granular control of application-specific or particular classes of data – keys would be based on authentication, authority and resource paths – that could see different users given different data from the same single source of the truth.

A member of the general public, for example, could get low-level access to access bus timetable information while a senior transport executive could access the same database to get detailed information on route utilisation and efficiency “to work out how many bus drivers to lay off given the low usage of some bus routes within the ACT”.

“Both parties would be accessing the same application and same database, but with vastly different sensitivities.”

Taking this approach would not only better protect data according to differing service classes, but would prevent any later breach of the encryption from giving malicious hackers the keys to the proverbial kingdom.

“I should be trying to ensure that when my network is compromised – and it’s going to come – the perpetrator can’t get access to the information on the network,” Major said.

“Encryption is the end all and be all of everything: in this way, if the network is compromised all they’re going to do is get a look at nothing. They might damage the integrity of the data if they change it, but if it is damaged or changed you can’t decrypt it.”

For now, Major is sticking with conventional perimeter-based protections, but as authentication-based data protection evolves in the near future he expects a greater reliance on role-based access management and highly-granular encryption.

“In the long term I should have less, not more, applications and infrastructure to deliver information to appropriate consumers,” he said. “If I can present with a minimal amount of infrastructure and maximum amounts of security, I have achieved an objective. And, in the future, this security model will make our data centres redundant – and we can start moving our data to anywhere in the cloud [with the same protections.”